[tor-bugs] #9445 [Tor Launcher]: Tor Launcher should be more relaxed about bridge line input
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Aug 21 01:49:36 UTC 2013
#9445: Tor Launcher should be more relaxed about bridge line input
---------------------------------------------------+------------------------
Reporter: bastik | Owner: brade
Type: task | Status: new
Priority: major | Milestone:
Component: Tor Launcher | Version:
Keywords: tbb-3.0-stable-blocker, tbb-usability | Parent: #9444
Points: | Actualpoints:
---------------------------------------------------+------------------------
Comment(by sysrqb):
Replying to [comment:10 mikeperry]:
> As I said in #9156, I think the most sane way forward here is to check
to see if 'bridge ' is present at the beginning of the line, and if yes,
accept it, otherwise prepend 'bridge ' to it and shove it into
SETCONF+SAVECONF/torrc, and let Tor decide if it is actually valid with
respect to the PT schemes installed or not. That way we can support both
formats in Tor Launcher.
>
This will be a good way to do it because users may try to reuse the
bridges they added in Vidalia, and the settings menu in Vidalia does not
display the 'Bridge' keyword, so they will likely not include it.
> Are there any code exec-level dangers to pasting arbitrary bridge lines
with the current PT scheme?
At present, all argument validation is (supposed to be) handled by the PT.
Tor Launcher can probably perform some validation of the basic syntax, but
it's not expected to do so for the optional arglist (which becomes a deep,
dark hole). None of the fully-implemented PTs use the optional arglist, so
there isn't a way to pass any kind of executable string to them. However,
this is possible, but any implemented PT that relies on external args for
execing will need extensive validation checks - something I don't think
Tor Launcher should be expected to implement.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9445#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list